You Should Have the Right to Sue Companies That Violate Your Privacy

You Should Have the Right to Sue Companies That Violate Your Privacy

It is not enough for government to pass laws that protect consumers from corporations that harvest and monetize their personal data. It is also necessary for these laws to have bite, to ensure companies do not ignore them. The best way to do so is to empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights. Such “private rights of action” are among EFF’s highest priorities in any data privacy legislation.

For example, while there is a lot to like about the new California Consumer Privacy Act (A.B. 375 and S.B. 1121), a significant flaw is its lack of a private right of action (except as to some kinds of data breaches). We will work this year to amendCCPA to add consumer enforcement. The California Attorney General, who has the primary duty to enforce the CCPA, supports consumer enforcement, explaining:

The lack of a private right of action, which would provide a critical adjunct to governmental enforcement, will substantially increase the OAG’s need for new enforcement resources. I urge you to provide consumers with a private right of action under the CCPA.

Likewise, when EFF reviews the many federal data privacy bills that have circulated since the Cambridge Analytica scandal first broke earlier this year, one of our primary goals is to ensure that these bills include a private right of action. (We also work to ensure that any federal data privacy bill doesnotpreemptstrongerstatelaws.)

Consumer enforcement is part of EFF’s “bottom-up” approach to public policy. Ordinary technology users should have the power to decide for themselves whether to bring a lawsuit to enforce their statutory privacy rights. EFF itself has gonetocourt to enforce digital privacy statutes. We also have long advocated for private rights of action to be included in dataprivacylaws, among other kinds of laws.

Enforcement by government officials is a start, but not enough by itself. Agencies may fail to enforce privacy laws due to lack of resources. For example, the ongoing federal budget impasse shut down the FTC’s investigation of Facebook’s data privacy practices, including whether Facebook violated its 2011 consent order with the FTC. Agencies may likewise be hamstrung by competing priorities.

Further, there is the inherent risk of regulatory capture, meaning undue influence over an enforcement agency by the companies supposedly subject to its overight. The recent leashing of the federal Consumer Financial Protection Bureau is just one example of why we should broadly diffuse the power to enforce statutes that protect the public. In essence, if everyone has the power to protect their own privacy, then special interests will have a harder time using their influence to shield themselves from accountability.

Looking ahead, a federal data privacy law might be passed with great fanfare. It might have all the substantive rules that EFF has long sought, including opt-in consent to collect or share a consumer’s data, a right to know what data was collected, data portability, and information fiduciary duties for the companies that we entrust with our data. But without a strong enforcement regime, such a law will protect privacy in name only. The best privacy enforcers are ordinary people. Legislators should give them the power to defend their own privacy.

When social media platforms enforce their content moderation rules unfairly, it affects everyone’s ability to speak out online. Unfair and inconsistent online censorship magnifies existing power imbalances, giving people who already have the least power in society fewer places where they are allowed a voice online.President Donald Trump...

It has taken more than a year, but the California Attorney General’s Office has implemented steps to protect immigrants from U.S. Immigration and Customs Enforcement (ICE) and other agencies that abuse the state’s public safety network, the California Law Enforcement Telecommunications System (CLETS). Following calls for reform from EFF and...

Over the next few years, the Department of Homeland Security (DHS) plans to implement an enormous biometric collection program which will endanger the rights of citizens and foreigners alike. The agency intends to collect at least seven types of biometric identifiers, including face and voice data, DNA, scars, and tattoos...

BOSTON — The Electronic Frontier Foundation (EFF) and the ACLU today asked a federal court to rule without trial that the Department of Homeland Security violates the First and Fourth Amendments by searching travelers’ smartphones and laptops at airports and other U.S. ports of entry without a warrant.The request...

Update: the time for this hearing has changed. It now begins at 1:30pm. San Francisco – At 1:30 pm on Wednesday, May 1, the Electronic Frontier Foundation (EFF) and the Law Office of Michael T. Risher will argue against the government’s motion to dismiss a lawsuit challenging law enforcement retention...